“Microsoft said on Friday that it discovered new cyberattacks carried out by Nobelium, the codename the company has assigned to the Russian state-sponsored hacking group responsible for the SolarWinds hack last year.” msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/
Microsoft says new breach discovered in probe of suspected SolarWinds hackers datafloq.com/read/microsoft-says-new-breach-discovered-probe-suspected-solarwinds-hackers/15815
At the moment, the tech giant is still looking into the methods the attackers used, but it has seen evidence of password spray and brute-force attacks so far. It didn't name the three compromised entities in its initial report, and it also didn't say whether the attackers got their information from the machine owned by the company's customer support rep. Microsoft did admit, however, that the machine had access to basic account information for a small number of its customers and that the bad actors used that info to launch highly targeted attacks.
The company said it responded quickly and was able to remove the group's access to its customer service agent's device. It has also alerted the compromised entities and all other targets through its nation-state notification process. US officials believe Russia was behind the SolarWinds hacks and previously linked Nobelium to the country's intelligence agency. ("The latest cyberattack reported by Microsoft does not involve our company or our customers in any way," a SolarWinds spokesperson said in a statement.)
Just last month, Microsoft discovered that the same group had been running a sophisticated email-based spear-phishing campaign targeting government agencies, think tanks and non-governmental organizations. It sent out infected emails to its targets after infiltrating the mass mailing service used by the United States Agency for International Development, or USAID. This new campaign focused more on IT companies, though it also targeted government organizations and NGOs to a smaller extent. As in its previous activities, Nobelium mostly went for entities based in the US in this recent series of attacks. Around 10 percent of the targets are based in the UK, while a smaller number are based in Germany and Canada.
Read full article at Engadget
26 June, 2021 - 12:46pm
The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers, Microsoft said in a terse statement published late on a Friday afternoon.
The hacking group also compromised three entities using password-spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of login guesses. With the exception of the three undisclosed entities, Microsoft said, the password-spraying campaign was “mostly unsuccessful.” Microsoft has since notified all targets, whether attacks were successful or not.
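The two techniques named above, password spraying and brute force, leave different shapes in authentication logs. The following is an added example, not code from any outlet quoted on this page or from Microsoft: it labels each source address in a constructed log sample by the pattern of its failures and lists the accounts a defender would reset and notify. The log format and thresholds are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source_ip> <account> <result>".
# 198.51.100.7 tries one guess against many accounts (spray) and gets one hit;
# 203.0.113.9 hammers a single account (brute force); 192.0.2.44 is a user typo.
SAMPLE_LOG = """\
2021-05-20T10:00:01 198.51.100.7 alice FAIL
2021-05-20T10:00:02 198.51.100.7 bob FAIL
2021-05-20T10:00:03 198.51.100.7 carol FAIL
2021-05-20T10:00:04 198.51.100.7 dave FAIL
2021-05-20T10:00:05 198.51.100.7 erin FAIL
2021-05-20T10:00:06 198.51.100.7 grace OK
2021-05-20T10:05:00 203.0.113.9 helpdesk FAIL
2021-05-20T10:05:01 203.0.113.9 helpdesk FAIL
2021-05-20T10:05:02 203.0.113.9 helpdesk FAIL
2021-05-20T10:05:03 203.0.113.9 helpdesk FAIL
2021-05-20T10:05:04 203.0.113.9 helpdesk FAIL
2021-05-20T10:07:00 192.0.2.44 alice FAIL
2021-05-20T10:07:20 192.0.2.44 alice OK
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def classify_sources(events, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=5):
    """Label each source IP by the shape of its failures inside a sliding window:
    many distinct accounts -> 'password_spray'; many hits on one account ->
    'brute_force'; otherwise 'benign'. Thresholds are assumptions for the demo."""
    fails_by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, account))
    labels = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        labels[ip] = "benign"
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures older than the window
            per_account = defaultdict(int)
            for _, account in fails[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= spray_accounts:
                labels[ip] = "password_spray"
                break
            if max(per_account.values()) >= brute_attempts:
                labels[ip] = "brute_force"
                break
    return labels

def accounts_to_notify(events, labels):
    """Accounts that logged in successfully from a flagged source: the ones to
    reset and notify, the step Microsoft describes taking with its targets."""
    return sorted({acct for _, ip, acct, res in events
                   if res == "OK" and labels.get(ip, "benign") != "benign"})
```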
The discoveries came in Microsoft’s continued investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine US agencies and 100 private companies. The federal government has said Nobelium is part of the Russian government’s Federal Security Service.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said in a post. “The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”
According to Reuters, Microsoft published the breach disclosure after one of the news outlet’s reporters asked the company about the notification it sent to targeted or hacked customers. Microsoft didn’t reveal the infection of the worker’s computer until the fourth paragraph of the five-paragraph post.
The infected agent, Reuters said, could access billing contact information and the services the customers paid for, among other things. “Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in,” the news service reported.
The SolarWinds supply chain attack wasn’t the only way Nobelium compromised its targets. Antimalware provider Malwarebytes has said it was also infected by Nobelium but through a different vector, which the company didn’t identify.
Both Microsoft and email management provider Mimecast have also said that they, too, were hacked by Nobelium, which then went on to use the compromises to hack the companies’ customers or partners.
Microsoft said that the password-spraying activity targeted specific customers, with 57 percent of them IT companies, 20 percent government organizations, and the rest nongovernmental organizations, think tanks, and financial services. About 45 percent of the activity focused on US interests, 10 percent targeted UK customers, and smaller numbers were in Germany and Canada. In all, customers in 36 countries were targeted.
Reuters, citing a Microsoft spokesman, said that the breach disclosed Friday wasn’t part of Nobelium's previous successful attack on Microsoft. The company has yet to provide key details, including how long the agent’s computer was compromised and whether the compromise hit a Microsoft-managed machine on a Microsoft network or a contractor device on a home network.
Friday’s disclosure came as a shock to many security analysts.
“I mean, Jesus, if Microsoft can’t keep their own kit clear of viruses, how is the rest of the corporate world supposed to?” Kenn White, product security principal at MongoDB, told me. “You would have thought that customer-facing systems would be some of the most hardened around.”
26 June, 2021 - 08:21am
The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Nobelium, a Russia-based hacking group best known for the SolarWinds cyberattack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks.
Microsoft said it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.” The affected customers were notified of the breach.
Nobelium followed up the SolarWinds cyberattack in May with a campaign against the US Agency for International Development (USAID). The group reportedly used one of USAID’s email marketing tools to send phishing messages to more than 150 organizations. Those messages contained a link used to distribute malware that could steal data, infect other devices, and more.
Microsoft said Nobelium’s recent targets were “primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.” The company said 45% of those targets were based in the U.S., 10% were based in the U.K., and the rest were spread across 36 different countries.
Few of those attacks bore fruit, however, with Microsoft saying Nobelium was only able to successfully compromise three of its targets. (It didn’t publicly disclose those targets, but it did say they were “being contacted through our nation-state notification process.”) It’s possible that successful attacks went unnoticed, but for now it seems Nobelium’s efforts have been ineffective.
Gaining access to the Microsoft customer support agent’s device might have changed that, but the company said that its “support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information.” That approach helps keep Microsoft’s customers safe from rogue employees and malware alike.
26 June, 2021 - 03:29am
Microsoft warned affected customers to be careful when handling communications involving billing matters, and urged them to consider changing relevant usernames and email addresses. The company said that the phishing campaign targeted at least three entities, without providing further details. It also declined to disclose whether the customer service representative who was hacked was an official employee or a contractor.
Nobelium has been accused of carrying out the infamous SolarWinds hack. The cyber attack, first reported in December, exploited backdoor access to a popular network-management program distributed by the Texas-based SolarWinds company. The security breach went undetected for months and is believed to have affected the systems of more than 100 companies around the world, as well as nine US government agencies. In March it was revealed that the SolarWinds exploit also allowed hackers to gain access to email accounts belonging to then-Acting DHS Secretary Chad Wolf and members of the department’s cybersecurity team.
Microsoft said that the customer service breach is not related to the SolarWinds incident, although it was discovered while probing the massive hack.
In May, the software giant announced that it had uncovered a “wide-scale malicious email campaign” operated by Nobelium which used a mass-mailing service to “masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.”
Washington has claimed that Russian hackers are most likely behind the breach, but it has yet to back up the allegation with evidence. The Kremlin has strongly denied any involvement.
25 June, 2021 - 11:14pm
The hackers compromised a computer used by a Microsoft customer support employee that could have provided access to different types of information, including “metadata” of accounts and billing contact information for the organization, a Microsoft spokesman said.
Microsoft is aware of three customers that were affected by the recent activity, the company said in a blog post.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said. “We responded quickly, removed the access and secured the device.”
The incident was part of a broader campaign—which involved other hacking techniques beyond leveraging the information taken from its support system—that primarily targeted technology companies and government agencies in 36 countries.
25 June, 2021 - 09:56pm
The agent’s device had access to Microsoft’s customer support tools and basic account information for a “small number of our customers,” which the hacker exploited to launch “highly-targeted attacks as part of a broader campaign,” the company said in a blog post Friday. Microsoft said it’s aware of three entities that were compromised in this phishing campaign, though it didn’t identify the victims. It said it has since removed the attacker’s access, secured the compromised device, and begun the process of alerting all affected customers through its nation-state notification process.
Microsoft’s Threat Intelligence Center attributed the attacks to Nobelium, the group of state-sponsored Russian hackers that wormed their way into the networks of major federal agencies, IT companies, and other entities around the world via compromised software from the Texas-based company, SolarWinds. In a statement to Reuters, Microsoft clarified that this latest attack is unrelated to Nobelium’s previous successful attack on the company, in which the group made off with some source code. A SolarWinds spokesperson echoed this in a statement to Gizmodo, saying: “The latest cyberattack reported by Microsoft does not involve our company or our customers in any way.”
In the warning, Microsoft told customers to be cautious when communicating with billing contacts and to consider changing their usernames and email addresses, the outlet reports. Microsoft also encouraged users on Friday to employ security best practices such as multi-factor authentication and zero-trust architecture, a security model that treats all users as potential threats until their identities can be properly authenticated. Moreover, Windows 11, which is scheduled to roll out later this year, will require a specific security feature called a TPM, or trusted platform module, on existing and new devices in order to upgrade.
Update: 6/26/2021, 1:08 p.m. ET: Added clarification from SolarWinds spokesperson.
25 June, 2021 - 08:03pm
It says the group used the tools for targeted attacks
The attack, Microsoft says, was part of a larger Nobelium campaign largely focused on IT companies and governments throughout the world. The company says it’s reached out to the customers who were affected by the hacking group’s use of the tools, and that Nobelium no longer has access to the customer support agent’s device.
Microsoft has talked about security a lot today, especially in relation to its upcoming Windows 11, as the company tries to make the case for requiring users to have specific hardware in order to upgrade. Incidents like these, where one compromised computer could give hackers a head start on future attacks, are illustrative of the cat-and-mouse game that Microsoft plays with those looking to breach its security.
25 June, 2021 - 05:49pm
The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.
Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said that the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.
"A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.
When Reuters asked about that warning, Microsoft announced the breach publicly.
After commenting on a broader phishing campaign that it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.
The agent could see billing contact information and what services the customers pay for, among other things.
"The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft said.
Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.
Microsoft said it was aware of three entities that had been compromised in the phishing campaign.
It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.
Microsoft did not say whether the agent was at a contractor or a direct employee.
A spokesman said the latest breach by the threat actor was not part of Nobelium's previous successful attack on Microsoft, in which it obtained some source code.
In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said that the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
DHS' Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.
25 June, 2021 - 05:21pm
Microsoft said Friday it has seen new attacks from the Russia-based group responsible for the attacks last winter on SolarWinds customers.
Driving the news: The company indicated the activity was targeted at specific customers including IT companies, government agencies, non-governmental organizations and think tanks, and financial services.
What they're saying: A U.S. government official told Axios that Microsoft has seen limited impact, and that it appears to be "largely unsuccessful run of the mill espionage."
Flashback: Nobelium recently targeted human rights and international aid groups.